application note
by Eljakim Schrijvers
<info@eljakim.nl>
Eljakim Schrijvers is an independent consultant residing in central
Holland who specializes in database applications for the Web. He also
coaches the Dutch Computing Olympiad and is an avid underwater hockey
player.
[Editor's note: Application Notes are short articles that solve
specific problems that might arise at readers' sites. Feel free to
submit short articles like this to <login@usenix.org>.]
Problem
I have a private network that is connected to the outside world via a
firewall. The private systems are invisible to the outside world. The
firewall is running Linux. On the inside is a Windows NT server that is
serving several domains. I had all the IP masquerading up and running
and everything was running smoothly until I wanted to serve one of the
domains from the firewall itself, and another domain from another Linux
server. So I had to stop blindly forwarding the IP packets for port
80 to the private server. I also couldn't just redirect my outside
clients to a different IP address based on the domain name, because the
private servers are invisible to the outside world.
Solution
STEP #1
I figured out the ProxyPass option of Apache. This option lets your
server serve Web pages from a different domain as if you had the entire
domain mirrored. You have to provide the virtual path under which the
other domain will be served. For instance,
ProxyPass /foo/ http://www.foo.com/
will serve http://www.foo.com/bar when a client requests
http://yourhost/foo/bar. Using / for the virtual path will serve
everything from the other server. Note that this is something other
than redirecting, since the client will not know where you're getting
the data from. It will think you are serving all the requests.
I edited the httpd.conf file and added the following lines:
# NameVirtualHost is a plain directive, not a <...> container
NameVirtualHost EXTERNALIP
# Pass all requests for www.myfirstdomain.com on to
# the server that has ip address PRIVATEIP1
<VirtualHost EXTERNALIP>
ServerName www.myfirstdomain.com
ProxyPass / http://PRIVATEIP1/
</VirtualHost>
# Pass all requests for www.myseconddomain.com on
# to the server that has ip address PRIVATEIP2
<VirtualHost EXTERNALIP>
ServerName www.myseconddomain.com
ProxyPass / http://PRIVATEIP2/
</VirtualHost>
# Handle all requests for www.mythirddomain.com from
# directory /www/mythirddomain/
<VirtualHost EXTERNALIP>
ServerName www.mythirddomain.com
DocumentRoot /www/mythirddomain/
</VirtualHost>
Note that even though IP addresses PRIVATEIP1 and PRIVATEIP2 are not
visible to the outside world, the Web pages are served by the correct
server.
If every internal server served requests for only one domain, you
would be done by now. However, the hand-off that Apache performs loses
the original domain name: Apache requests the document from the
internal server and addresses that server by its IP address. In order
to serve multiple domains from one internal server, I had to find a way
to keep the domain name from getting lost during the hand-off.
STEP #2
I set up the nameserver of the firewall (named) to resolve
www.myfirstdomain.com and www.myseconddomain.com. It
resolves the names to the private IP address. Because the outside world
does not use my firewall as a DNS server, this does not cause any
problems. I could now tell Apache to pass all requests for
www.myfirstdomain.com on to the same domain. Since the domain
name resolves to the private server, everything now works fine.
Even though the new httpd.conf file looks rather trivial, this method
works perfectly.
# NameVirtualHost is a plain directive, not a <...> container
NameVirtualHost EXTERNALIP
# Pass all requests for www.myfirstdomain.com on to
# the server that has ip address PRIVATEIP1
<VirtualHost EXTERNALIP>
ServerName www.myfirstdomain.com
ProxyPass / http://www.myfirstdomain.com/
</VirtualHost>
# Pass all requests for www.myseconddomain.com on
# to the server that has ip address PRIVATEIP2
<VirtualHost EXTERNALIP>
ServerName www.myseconddomain.com
ProxyPass / http://www.myseconddomain.com/
</VirtualHost>
# Handle all requests for www.mythirddomain.com from
# directory /www/mythirddomain/
<VirtualHost EXTERNALIP>
ServerName www.mythirddomain.com
DocumentRoot /www/mythirddomain/
</VirtualHost>
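
The Step 2 configuration is only correct while the firewall's own resolver answers with private addresses for the proxied names; if a name resolves to the external address instead, Apache forwards the request back to itself. The check below is an added example, not part of the original note: it reads the ProxyPass targets out of an httpd.conf fragment and reports any that are IP literals (the Step 1 situation) or that do not resolve to a private address. It assumes "private" means the RFC 1918 ranges; the function names and the addresses 203.0.113.10, 10.0.0.5 and 10.0.0.6 are constructed for illustration.

```python
import ipaddress
import re
import socket
from urllib.parse import urlsplit
# Assumption: "private" means the RFC 1918 ranges.
PRIVATE_NETS = [ipaddress.ip_network(n) for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]

# Constructed sample: Step 2 layout plus one Step 1 style leftover; IPs are placeholders.
SAMPLE_CONF = """
NameVirtualHost 203.0.113.10
<VirtualHost 203.0.113.10>
ServerName www.myfirstdomain.com
ProxyPass / http://www.myfirstdomain.com/
</VirtualHost>
<VirtualHost 203.0.113.10>
ServerName www.myseconddomain.com
ProxyPass / http://10.0.0.6/
</VirtualHost>
<VirtualHost 203.0.113.10>
ServerName www.mythirddomain.com
DocumentRoot /www/mythirddomain/
</VirtualHost>
"""

def proxied_vhosts(conf):
    """Yield (ServerName, ProxyPass target host) for each proxying vhost."""
    for block in re.findall(r"<VirtualHost[^>]*>(.*?)</VirtualHost>", conf, re.S | re.I):
        name = re.search(r"^\s*ServerName\s+(\S+)", block, re.M | re.I)
        target = re.search(r"^\s*ProxyPass\s+\S+\s+(\S+)", block, re.M | re.I)
        if name and target:
            yield name.group(1), urlsplit(target.group(1)).hostname

def check(host, resolve):
    """Classify one ProxyPass target host."""
    try:
        ipaddress.ip_address(host)
        return "ip-literal target: domain name lost (Step 1)"
    except ValueError:
        pass  # a hostname: it has to resolve to a private address on this host
    try:
        addr = ipaddress.ip_address(resolve(host))
    except OSError:
        return "target does not resolve"
    inside = any(addr in net for net in PRIVATE_NETS)
    return "ok" if inside else f"resolves to non-private {addr}"

def audit(conf, resolve=socket.gethostbyname):
    """Return {ServerName: finding}; run on the firewall so its named answers."""
    return {name: check(host, resolve) for name, host in proxied_vhosts(conf)}
```

Run it on the firewall itself, so that the default resolver is the same named that Apache uses.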